Correct CentOS 7 SSH configuration

ssh centos7 selinux firewalld
5,393

Solution 1

It seems that I have found something in the CSF + LFD, as all our machines that couldn't connect are using them. The adding of additional IPs and ports to the allow rules on the SSH client wouldn't have helped (tried it already - still couldn't connect), as suggested by @BaZZiliO in the comments. A restart of lfd + csf allowed me to connect immediately:

 service lfd restart  
 csf -r

The reason why I didn't think of disabling or restarting the firewall on the SSH client was that it was initially functioning properly, so I thought that it was a configuration issue.

As for the CentOS 7 configurations written in the question, they are correct and function properly, so they are good for cofiguration testing purposes (not recommended in production environments without further security configurations).

Thank you all for your help and I hope that someone will benefit from this discussion.

Regards.

Solution 2

Sounds like even though you've said that you've disabled SELinux, you probably haven't. Editing /etc/sysconfig/selinux by itself isn't enough to disable it, you'd need reboot for it to take effect (or issue setenforce 0).

Anyways, if that's true then SELinux is blocking a non-standard SSH port (7890) from accepting connections. To enable it, you'd have to relabel the port as so:

semanage port -a -t ssh_port_t -p tcp 7890

Following that, your SSH connectivity will probably work as intended.

Consider what some of the people saying "why are you doing this?" are saying - using a non-standard SSH port is security through obscurity at best. Ensure you harden the service even further once you get it working.

Share:
5,393

Related videos on Youtube

Havri
Author by

Havri

Updated on September 18, 2022

Comments

  • Havri
    Havri almost 2 years

    I'm having some trouble changing the ports on a new CentOS 7 (minimal) machine (IP 11.22.33.44). To log into the new machine, I use a proxy VPS (let's say, IP 88.99.100.101).

    I edited the /etc/sysconfig/selinux file to disable SElinux and rebooted. 

    [root@host ~]# getenforce  
Disabled

    After I disable selinux and restart the machine, I edit the /etc/ssh/sshd_config and change the Port entry from 22 to let's say 7890 (just an example) + systemctl restart sshd.

    Then I copy the default ssh xml configuration file for firewalld from /usr/lib/firewalld/services/ssh.xml to /etc/firewalld/services/ssh.xml and change the port from 22 to 7890 + firewall-cmd reload.

    I also make the change permanent in firewalld:

    firewall-cmd --zone=public --add-port=7890/tcp --permanent

    The problem comes when I try to log through SSH to the new CentOS 7 machine from a different VPS. The login from the initial VPS still works after the changes are made to the port number, but no new machines can connect to the CentOS 7 machine.

    The error that I'm getting is:

    ssh: connect to host 11.22.33.44 port 7890: Connection timed out

    This is the output from my ss -ntulp:

    tcp   LISTEN     0      128      *:7890          *:*      users:(("sshd",5566,3))

    The thing is that if I change the SSH port back to the default 22 value, then every machine can connect to it without any problems (after I edit the two files ssh.xml and sshd_config to the default 22 port).

    There must be something that I'm missing or doing wrong. Can someone point me in the right direction?

    Thank you.

    • Michael Hampton
      Michael Hampton almost 9 years
      3888 and 7890 are not the same port!
    • Havri
      Havri almost 9 years
      Sorry, I edited to reflect the same ports. Was a bad on my typing.
    • Michael Hampton
      Michael Hampton almost 9 years
      Plus, there is no good reason to change the ssh port number anyway. You don't gain anything in security, and in fact you have already lost a significant amount of security (by disabling SELinux)!
    • Havri
      Havri almost 9 years
      I haven't had the chance to work much with SElinux yet, but I don't think that that's my problem here. Appreciate your concern, though. :)
    • Jakuje
      Jakuje almost 9 years
      what do you mean by "disabled selinux"? There are three modes. What does getenforce returns?
    • Havri
      Havri almost 9 years
      I edited the /etc/sysconfig/selinux file to disable SElinux. I've also edited the post to reflect the SElinux disabling method.
    • Michael Hampton
      Michael Hampton almost 9 years
      The problem is that you should not be doing any of this at all!
    • Havri
      Havri almost 9 years
      This machine is only for testing different configurations (SSH, firewalld, etc.). I have disabled SElinux just for the moment, to get the hang of the SSH configuration and the new firewalld. I am just trying to change the port for the SSH and that's it. There is no security concern in the environment (private LAN).
    • thrig
      thrig almost 9 years
      What does iptables -n --list show? There may be other rules that affect the connection, or perhaps whatever the public zone is does not apply for some reason...
    • Havri
      Havri almost 9 years
      I put only the port part from the iptables -n --list: iptables -n --list | grep 7890 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7890 ctstate NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7890 ctstate NEW Let me know if you need the whole output.
    • BaZZiliO
      BaZZiliO almost 9 years
      you should add output of: * on server host iptables -nL INPUT from the start to your accept ssh connection rule. * On client host - iptables -nL OUPUT * Check if there're any firewall devices is located between client and server. * I think, the best option is add rule like: on server: iptables -I INPUT -s <client_ipaddr> -J ACCEPT on client : iptables -I OUTPUT -d <server_ipaddr> -J ACCEPT
    • Havri
      Havri almost 9 years
      I ran the iptables command you gave me with the appropriate IP, but it didn't work. I should mention again that if I put the default 22 SSH port, everything works (from all other machines), regardless of the clients' IP address. Should other files be edited as well if I want to change the SSH port, other than ssh.xml and sshd_config?
  • Havri
    Havri almost 9 years
    I edited the post to reflect that I did reboot the machine after I disabled SElinux from /etc/sysconfig/selinux file. Getenforce returns Disabled.
  • Havri
    Havri almost 9 years
    Also, it is indeed a temporary security through obscurity, just until this problem is solved.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

fail2ban doesn't add IPs to ipset (firewalld)
The task includes an option with an undefined variable
Linux console: "Unable to get valid context for..."
How to enable CentOS 7 to connect to an external SMTP?
sshd[4344]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument?
centos 7 - yum update failed
drop ip blacklist with firewalld centos 7
Not able to access Tomcat webserver from another machine in the LAN
Restore file permission on CentOS 7
Unable to start OpenSSH service in CentOS 7.1